1.1 DHCP-Snooping Overview
For security reasons, a network administrator may need to record the IP address that a user uses to access the network. This makes it possible to check the correspondence between the IP address obtained from the DHCP server and the MAC address of the user's host.
- A Layer 3 switch records user IP addresses through DHCP relay.
- A Layer 2 switch records user IP addresses by listening to DHCP broadcast packets, which is achieved by the DHCP-snooping function.
Figure 1-1 illustrates the diagram of a network with the DHCP-snooping function implemented. In this network, the DHCP-snooping function is enabled on Switch A, an S3100-SI series Ethernet switch.

Figure 1-1 Network diagram for DHCP-snooping implementation
Figure 1-2 shows the interaction between a DHCP client and a DHCP server when the former applies to the latter for an IP address.

Figure 1-2 The interaction between a DHCP client and a DHCP server
With the DHCP-snooping function enabled, a switch learns the IP address that a host obtains from the DHCP server, together with the host's MAC address, in the following two ways:
- Listening to DHCP_ACK packets
- Listening to DHCP_REQUEST packets
I. DHCP-Snooping table
Once the DHCP-Snooping function is enabled on an S3100-SI series switch, the switch creates a DHCP-Snooping table to store the information obtained from the DHCP server, namely user IP addresses and the corresponding MAC addresses. Each IP address-MAC address pair in a DHCP-Snooping table forms a table entry (referred to as a DHCP-Snooping entry).
Note that a DHCP-Snooping entry does not age automatically.
II. DHCP-Snooping Entry Updating
Because DHCP-Snooping entries do not age, the size of a DHCP-Snooping table grows with the number of IP addresses listened to. Moreover, a DHCP-Snooping entry remains in the table even after the IP address it contains is released by the DHCP client. In this case, you can remove invalid DHCP-Snooping entries by disabling the DHCP-Snooping function.
For a DHCP-Snooping-enabled switch with a large number of hosts attached to it, you can also enable 802.1x authentication and MAC address authentication, so that DHCP-Snooping entries are added and removed dynamically as users go online and offline, thereby preventing memory overuse.
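The following is an added illustration, not code from the S3100-SI manual or its firmware: a small Python model of the DHCP-Snooping table described above. It builds constructed DHCP payloads, learns IP/MAC bindings from DHCP_ACK (yiaddr) and renewing DHCP_REQUEST (ciaddr) messages, ignores DHCP_RELEASE so that entries never disappear, and exposes the IP-to-MAC correspondence check the section motivates. The exact packet fields the switch reads are an assumption; the manual only names the two message types.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie
DHCPREQUEST, DHCPACK, DHCPRELEASE = 3, 5, 7  # option 53 message-type values

def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def bytes_to_ip(b):
    return ".".join(str(o) for o in b)

def build_dhcp(msg_type, mac, yiaddr="0.0.0.0", ciaddr="0.0.0.0"):
    """Constructed minimal BOOTP/DHCP payload (sample input, not captured traffic)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      2 if msg_type == DHCPACK else 1, 1, 6, 0, 0x1234, 0, 0,
                      ip_to_bytes(ciaddr), ip_to_bytes(yiaddr), b"\0" * 4, b"\0" * 4,
                      mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])

def parse_dhcp(pkt):
    """Return (message type, client MAC, yiaddr, ciaddr) from a raw DHCP payload."""
    ciaddr, yiaddr, mac = bytes_to_ip(pkt[12:16]), bytes_to_ip(pkt[16:20]), pkt[28:34]
    msg_type, i = None, 240                  # options begin right after the cookie
    while i < len(pkt) and pkt[i] != 255:    # 255 = end option
        if pkt[i] == 0:                      # 0 = pad option, has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        if code == 53:
            msg_type = pkt[i + 2]
        i += 2 + length
    return msg_type, mac, yiaddr, ciaddr

class SnoopingTable:
    """IP address -> MAC address bindings learned by listening on the access switch."""
    def __init__(self):
        self.entries = {}

    def listen(self, pkt):
        msg_type, mac, yiaddr, ciaddr = parse_dhcp(pkt)
        if msg_type == DHCPACK:              # server confirms the lease in yiaddr
            self.entries[yiaddr] = mac
        elif msg_type == DHCPREQUEST and ciaddr != "0.0.0.0":
            self.entries[ciaddr] = mac       # renewing client carries its IP in ciaddr
        # DHCPRELEASE adds nothing and removes nothing: as the manual states, an
        # entry neither ages nor disappears when the client releases the address.

    def verify(self, ip, mac):
        return self.entries.get(ip) == mac   # the IP/MAC correspondence check
```

Clearing `entries` models what disabling the DHCP-Snooping function does on the switch: the whole table, valid and stale entries alike, is discarded.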
Table 1-1 Configure the DHCP-snooping function
| Operation | Command | Description |
| Enter system view | system-view | — |
| Enable the DHCP-snooping function | dhcp-snooping | Required. By default, the DHCP-snooping function is disabled. |
After the above configuration, you can execute the display command in any view to display the correspondence between user IP addresses and MAC addresses recorded by the DHCP-snooping function.
Table 1-2 Display DHCP-snooping
| Operation | Command | Description |
| Display the correspondence between user IP addresses and MAC addresses recorded | display dhcp-snooping [ unit unit-id ] | You can execute this command in any view. |